blacklanternsecurity / bbot

A recursive internet scanner for hackers.

Home Page:https://www.blacklanternsecurity.com/bbot/

Trufflehog is not version locked

domwhewell-sage opened this issue · comments

Describe the bug
The latest version of trufflehog, 3.78.1 (released 2 days ago), is no longer finding our test unverified secret.

~/.bbot/tools/trufflehog git file:///tmp/test_keys/
πŸ·πŸ”‘πŸ·  TruffleHog. Unearth your secrets. πŸ·πŸ”‘πŸ·

2024-06-13T20:39:44+01:00       info-0  trufflehog      running source  {"source_manager_worker_id": "xpxBT", "with_units": true}
2024-06-13T20:39:44+01:00       info-0  trufflehog      scanning repo   {"source_manager_worker_id": "xpxBT", "unit": "/tmp/test_keys/", "unit_kind": "dir", "repo": "/tmp/test_keys/"}
✅ Found verified result 🐷🔑
Detector Type: URI
Decoder Type: PLAIN
Raw result: https://admin:admin@the-internet.herokuapp.com
Commit: 7e9ad4002a3fcd40298735a71d90e2ce521301f3
Email: BBOT Test <bbot@blacklanternsecurity.com>
File: keys.txt
Line: 2
Timestamp: 2024-06-13 18:20:06 +0000

2024-06-13T20:39:45+01:00       info-0  trufflehog      finished scanning       {"chunks": 2, "bytes": 236, "verified_secrets": 1, "unverified_secrets": 0, "scan_duration": "1.070352313s", "trufflehog_version": "3.78.1"}

Nothing has changed on our side, but trufflehog automatically goes off and does a sneaky update unless you have the --no-update flag on.

By rolling back the version on my machine and using this flag, I was able to get the events to be emitted and the tests to pass.

~/.bbot/tools/trufflehog --no-update git file:///tmp/test_keys/
πŸ·πŸ”‘πŸ·  TruffleHog. Unearth your secrets. πŸ·πŸ”‘πŸ·

2024-06-13T20:37:22+01:00       info-0  trufflehog      running source  {"source_manager_worker_id": "Lfvfr", "with_units": true}
✅ Found verified result 🐷🔑
Detector Type: URI
Decoder Type: PLAIN
Raw result: https://admin:admin@the-internet.herokuapp.com
Commit: 7e9ad4002a3fcd40298735a71d90e2ce521301f3
Email: BBOT Test <bbot@blacklanternsecurity.com>
File: keys.txt
Line: 2
Timestamp: 2024-06-13 18:20:06 +0000

Found unverified result 🐷🔑❓
Verification issue: lookup internal.host.com on 172.29.64.1:53: no such host
Detector Type: URI
Decoder Type: PLAIN
Raw result: https://admin:admin@internal.host.com
Commit: 7e9ad4002a3fcd40298735a71d90e2ce521301f3
Email: BBOT Test <bbot@blacklanternsecurity.com>
File: keys.txt
Line: 5
Timestamp: 2024-06-13 18:20:06 +0000

2024-06-13T20:37:23+01:00       info-0  trufflehog      finished scanning       {"chunks": 2, "bytes": 236, "verified_secrets": 1, "unverified_secrets": 1, "scan_duration": "1.011314663s", "trufflehog_version": "3.75.1"}

We should add the --no-update flag to the command in the trufflehog module so it is version locked to the one specified in the module options. That way we can ensure the version in use is one that is compatible with bbot and has not introduced any bugs.
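The version-lock check described above, as an added example that is not bbot's own module code: it builds a trufflehog invocation with --no-update ahead of the subcommand, then parses the "finished scanning" summary line (format as quoted in the issue) to confirm the binary that actually ran matches the pinned version and that its verified/unverified counters agree with the per-result headers. The sample output below is a constructed, emoji-trimmed excerpt of the passing run above; the binary path and pinned version are assumptions.

```python
import json

# Constructed excerpt of trufflehog output in the layout quoted in the issue (not real output).
SAMPLE_OUTPUT = """\
2024-06-13T20:37:22+01:00\tinfo-0\ttrufflehog\trunning source\t{"source_manager_worker_id": "Lfvfr", "with_units": true}
Found verified result
Detector Type: URI
Raw result: https://admin:admin@the-internet.herokuapp.com
File: keys.txt

Found unverified result
Verification issue: lookup internal.host.com on 172.29.64.1:53: no such host
Detector Type: URI
Raw result: https://admin:admin@internal.host.com
File: keys.txt

2024-06-13T20:37:23+01:00\tinfo-0\ttrufflehog\tfinished scanning\t{"chunks": 2, "bytes": 236, "verified_secrets": 1, "unverified_secrets": 1, "scan_duration": "1.011314663s", "trufflehog_version": "3.75.1"}
"""


def build_command(binary, target, subcommand="git"):
    """Version-locked argument vector: --no-update goes before the subcommand so the
    binary cannot replace itself with a newer release in the middle of a test run.
    `binary` and `target` are caller-supplied (assumed) paths."""
    return [binary, "--no-update", subcommand, target]


def parse_summary(output):
    """Return the JSON dict that trails the 'finished scanning' log line, or None."""
    for line in output.splitlines():
        if "finished scanning" in line and "{" in line:
            return json.loads(line[line.index("{"):])
    return None


def count_results(output):
    """Count result headers independently of the summary counters."""
    lines = output.splitlines()
    verified = sum(1 for line in lines if "Found verified result" in line)
    unverified = sum(1 for line in lines if "Found unverified result" in line)
    return verified, unverified


def check_scan(output, pinned_version):
    """Checks a module test can assert on: the pin held, and the summary counters
    match what was actually printed (a silent update would show up here first)."""
    summary = parse_summary(output)
    if summary is None:
        return {"version_locked": False, "counts_consistent": False, "summary": None}
    verified, unverified = count_results(output)
    return {
        "version_locked": summary.get("trufflehog_version") == pinned_version,
        "counts_consistent": verified == summary.get("verified_secrets")
        and unverified == summary.get("unverified_secrets"),
        "summary": summary,
    }
```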